Wireshark-bugs: [Wireshark-bugs] [Bug 9701] New: -f "filter" ignored when capturing from two int

Date: Sat, 25 Jan 2014 14:40:36 +0000
Bug ID:         9701
Summary:        -f "filter" ignored when capturing from two interfaces
Classification: Unclassified
Product:        Wireshark
Version:        1.10.5
Hardware:       x86
OS:             Windows 8.1
Status:         UNCONFIRMED
Severity:       Normal
Priority:       Low
Component:      TShark
Assignee:       [email protected]
Reporter:       [email protected]

Build Information:
C:\Temp>tshark -v
TShark 1.10.5 (SVNRev 54262 from /trunk-1.10)

Copyright 1998-2013 Gerald Combs <[email protected]> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GLib 2.34.1, with WinPcap (4_1_3), with libz 1.2.5,
without POSIX capabilities, without libnl, with SMI 0.4.8, with c-ares 1.9.1,
with Lua 5.1, without Python, with GnuTLS 2.12.18, with Gcrypt 1.4.6, without
Kerberos, with GeoIP.

Running on 64-bit Windows 8, build 9200, without WinPcap.
        Intel(R) Core(TM) i5-3550 CPU @ 3.30GHz, with 16280MB of physical
memory.


Built using Microsoft Visual C++ 10.0 build 40219

C:\Temp>
--
When I capture on two interfaces simultaneously, the Wireshark GUI honors the
Capture Filter expression.  But tshark & dumpcap do not -- they ignore it.

I have an Intel Pro/1000 PF adapter in my PC, connected to the capture ports on
an in-line tap, and two packet streams traversing the tapped cable:  a ping to
10.1.2.3 and a TCP stream to 10.1.2.10

Case A:
c:\temp> dumpcap -i eth0 -w foo.pcapng -f "ip host 10.1.2.3"
In this case, I see one side (remember:  in-line tap) of the ping stream to
10.1.2.3 and nothing else (unsurprising, as the filter precludes traffic
to/from other addresses)

Case B:
c:\temp> dumpcap -i eth0 -i eth1 -w foo.pcapng -f "ip host 10.1.2.3"
In this case, I see both sides of the ping stream to 10.1.2.3 (unsurprising)
plus both sides of the TCP stream to 10.1.2.10 (surprising:  I would have
predicted that the filter would discard traffic to/from 10.1.2.10)

If I use the Wireshark GUI, filtering behaves as I would predict (i.e. I only
see traffic to/from 10.1.2.3).
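
Added example (not part of the original report, and not Wireshark project code): one way to audit a multi-interface pcapng file is to read the `if_filter` option of each Interface Description Block and list the interfaces that carry no capture filter. It assumes the capturing tool records that option; the sample bytes are constructed, and the layout with `eth1` lacking a filter is an illustration, not the recorded state of the reporter's foo.pcapng.

```python
import struct

SHB, IDB = 0x0A0D0D0A, 0x00000001   # pcapng block types
IF_NAME, IF_FILTER = 2, 11          # pcapng IDB option codes

def _options(buf, endian):
    """Yield (code, value) pairs from a pcapng options area."""
    off = 0
    while off + 4 <= len(buf):
        code, length = struct.unpack_from(endian + "HH", buf, off)
        if code == 0:                        # opt_endofopt
            break
        yield code, buf[off + 4:off + 4 + length]
        off += 4 + ((length + 3) & ~3)       # values are padded to 32 bits

def interface_filters(data):
    """Return [(if_name, capture_filter or None)] for each IDB, in file order."""
    out, off, endian = [], 0, "<"
    while off + 12 <= len(data):
        if data[off:off + 4] == b"\x0a\x0d\x0d\x0a":   # SHB sets the byte order
            endian = "<" if data[off + 8:off + 12] == b"\x4d\x3c\x2b\x1a" else ">"
        btype, blen = struct.unpack_from(endian + "II", data, off)
        if blen < 12 or blen % 4 or off + blen > len(data):
            raise ValueError("corrupt or truncated block at offset %d" % off)
        if btype == IDB:                     # options follow linktype/reserved/snaplen
            opts = dict(_options(data[off + 16:off + blen - 4], endian))
            name = opts.get(IF_NAME, b"?").decode("utf-8", "replace")
            filt = opts.get(IF_FILTER)
            # byte 0 of if_filter is the filter type (0 = libpcap string)
            out.append((name, filt[1:].decode("utf-8", "replace") if filt else None))
        off += blen
    return out

def unfiltered_interfaces(data):
    """Names of interfaces whose IDB records no capture filter."""
    return [name for name, filt in interface_filters(data) if not filt]

# --- constructed sample: two interfaces, only the first records a filter ---
def _block(btype, body):
    total = 12 + len(body)
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)

def _opt(code, value):
    return struct.pack("<HH", code, len(value)) + value + b"\0" * (-len(value) % 4)

def sample_capture():
    idb, end = struct.pack("<HHI", 1, 0, 65535), _opt(0, b"")  # Ethernet, snaplen
    eth0 = idb + _opt(IF_NAME, b"eth0") + _opt(IF_FILTER, b"\0ip host 10.1.2.3") + end
    eth1 = idb + _opt(IF_NAME, b"eth1") + end
    shb = struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1)
    return _block(SHB, shb) + _block(IDB, eth0) + _block(IDB, eth1)
```

To check a real file, pass its bytes to `unfiltered_interfaces()`; an interface listed there captured without a recorded filter, so its traffic should not be assumed to match the `-f` expression.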

